Office for Civil Rights Updates Enforcement of the Right of Access to Medical Information

Right of Access Initiative

The Office for Civil Rights (“OCR”) continues to vigorously enforce an individual’s right to access their medical records. OCR recently announced the nineteenth settlement under its Right of Access Initiative.

In 2019, OCR announced that it would focus its enforcement efforts on ensuring that patients receive their medical records promptly and in accordance with the format and fee requirements of the HIPAA Privacy Rule. Since then, OCR has closed 19 settlements ranging from $5,000 to $200,000, including several settlements with individual providers over their failure to give patients access to their medical records. OCR has announced five of these settlements since January, despite the change in administration, which usually results in a pause in settlement activity for at least a few months while new leadership is brought up to speed.

In the most recent settlement, Diabetes, Endocrinology & Lipidology Center, Inc. (“DELC”), a West Virginia practice that treats endocrine disorders, agreed to take corrective action and pay $5,000 after a mother was not provided access to her minor child’s medical records. According to OCR, the mother requested the records in July 2019, but DELC did not make them available until May 2021, almost two years after the original request and well beyond the 30-day period required by HIPAA. As in other settlements under the Right of Access Initiative, DELC also agreed to a corrective action plan (“CAP”) with a two-year monitoring period that requires the following measures:

  • Review and revise policies and procedures related to an individual’s access to PHI;

  • Provide annual education and training materials to all employees regarding an individual’s access to PHI; and

  • Every ninety days during the term of the CAP, submit a list of the PHI access requests DELC received during that ninety-day period.

Given OCR’s continued focus on enforcing the individual right of access, organizations should prioritize timely, compliant responses to access requests and address any access-related problems brought to their attention immediately.

Recent Security Rule settlements

In addition to the Right of Access Initiative settlements, OCR has closed two more settlements in the past few months addressing potential violations of the HIPAA Security Rule. In May, OCR announced that Peachstate Health Management, LLC, dba AEON Clinical Laboratories (“Peachstate”), a Georgia laboratory certified under the Clinical Laboratory Improvement Amendments of 1988 (“CLIA”), agreed to pay OCR $25,000. OCR initiated a HIPAA compliance review of Peachstate in December 2017 after investigating a breach involving Peachstate’s parent company. OCR’s investigation of Peachstate revealed systemic non-compliance with the HIPAA Security Rule, including failure to conduct an enterprise-wide risk analysis, failure to implement risk management and audit controls, and failure to document Security Rule policies and procedures. In addition to the $25,000 payment, Peachstate agreed to a relatively robust CAP that includes retaining an independent monitor and a three-year monitoring period.

In January, Excellus Health Plan, Inc. (“Excellus”), a New York-based health plan, agreed to pay $5.1 million in connection with a breach that affected more than 9.3 million individuals. Excellus reported that cyber attackers gained unauthorized access to its information systems on or before December 23, 2013, and retained that access through May 11, 2015.

Beyond the HIPAA Security Rule’s requirements for risk analysis and risk management, organizations continue to struggle with the information system activity review requirement. We recommend that your organization regularly review records of information system activity, such as audit logs and access reports, for unusual activity that could indicate a security incident; the Excellus timeline above, with attackers present for roughly seventeen months, is what undetected activity looks like.
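As an added example, not code from the article or from any of the organizations it discusses, the script below shows what a minimal, automatable review of an access report can look like. The log format (timestamp, user, role, patient ID, action), the user names, the business-hours window and the thresholds are all assumptions, and the log lines are constructed for illustration. It applies two heuristics that commonly surface both insider snooping and attacker activity: access outside business hours, and a day on which a user touches far more distinct patient records than their own typical day.

```python
"""Review an EHR access report for unusual activity.

Added example, not from the original article. The log format, user names,
business-hours window and thresholds are assumptions; the sample lines are
constructed, not real audit data.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumed business window: hours 06:00-21:59 are normal, anything else is off hours.
BUSINESS_HOURS = range(6, 22)
# A day is "bulk access" when the user touches at least MIN_BULK distinct
# patients and more than BULK_FACTOR times their own median daily count.
MIN_BULK = 5
BULK_FACTOR = 3

# Constructed sample: timestamp user role patient_id action
SAMPLE_LOG = """\
2021-06-01T09:12:04 jdoe nurse P1001 VIEW
2021-06-01T09:40:10 jdoe nurse P1002 VIEW
2021-06-01T10:05:33 jdoe nurse P1003 VIEW
2021-06-01T11:30:00 asmith billing P1001 VIEW
2021-06-02T08:55:12 jdoe nurse P1004 VIEW
2021-06-02T09:20:45 jdoe nurse P1002 VIEW
2021-06-02T14:02:19 asmith billing P1002 VIEW
2021-06-03T09:10:00 jdoe nurse P1006 VIEW
2021-06-03T02:14:09 asmith billing P1003 EXPORT
2021-06-03T02:14:41 asmith billing P1004 EXPORT
2021-06-03T02:15:10 asmith billing P1005 EXPORT
2021-06-03T02:15:33 asmith billing P1006 EXPORT
2021-06-03T02:16:02 asmith billing P1007 EXPORT
2021-06-03T02:16:30 asmith billing P1008 EXPORT
2021-06-04T10:00:00 asmith billing P1009 VIEW
"""


def parse_log(text):
    """Parse whitespace-separated access-report lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "role": role,
            "patient": patient,
            "action": action,
        })
    return events


def off_hours_access(events):
    """Return every event whose hour falls outside the business window."""
    return [e for e in events if e["ts"].hour not in BUSINESS_HOURS]


def bulk_access_days(events):
    """Return (user, day, distinct_patients, baseline) for days that exceed
    the user's own median daily volume by BULK_FACTOR and reach MIN_BULK."""
    per_day = defaultdict(set)  # (user, date) -> set of patient IDs
    for e in events:
        per_day[(e["user"], e["ts"].date())].add(e["patient"])

    by_user = defaultdict(list)  # user -> [(date, distinct_count), ...]
    for (user, day), patients in per_day.items():
        by_user[user].append((day, len(patients)))

    findings = []
    for user, days in by_user.items():
        baseline = median(count for _, count in days)
        for day, count in days:
            if count >= MIN_BULK and count > BULK_FACTOR * baseline:
                findings.append((user, day.isoformat(), count, baseline))
    return findings


def review(text):
    """Run both heuristics over a report and return the findings."""
    events = parse_log(text)
    return {
        "off_hours": off_hours_access(events),
        "bulk": bulk_access_days(events),
    }


if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    for e in result["off_hours"]:
        print(f"OFF-HOURS {e['ts']} {e['user']} {e['action']} {e['patient']}")
    for user, day, count, baseline in result["bulk"]:
        print(f"BULK      {day} {user} touched {count} patients (median day: {baseline})")
```

In the constructed sample, the billing user’s early-morning export of six different patients’ records on June 3 is flagged by both heuristics, while the nurse’s ordinary daytime workload is not. In practice the baseline would be computed over a longer history and by role rather than per user alone, and findings would feed a ticket or SIEM alert rather than stdout; the point is that the review is repeatable and leaves a record of having been performed, which is what an investigator will ask for.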

Recognized security practices

In early January 2021, the previous administration signed H.R. 7898 into law, amending the Health Information Technology for Economic and Clinical Health (“HITECH”) Act to require HHS to consider whether a covered entity or business associate has implemented “recognized security practices” when imposing fines or penalties under the HIPAA Security Rule.

Although HHS has not conducted a formal rulemaking and has not yet implemented the law, OCR has begun requesting the following evidence of an organization’s implementation of “recognized security practices” in ongoing investigations:

  • Policies and procedures related to the implementation of “recognized security practices”;

  • Completed project plans or similar documents showing the implementation dates of “recognized security practices”;

  • Documentation explaining how “recognized security practices” are implemented (e.g., the extent to which they are implemented across the organization);

  • The names of all persons responsible for ensuring that “recognized security practices” are implemented by the organization’s employees;

  • Employee training materials relating to “recognized security practices” and the timing of such training; and

  • Documentation of whether the “recognized security practices” were developed under:

    • Section 2(c)(15) of the National Institute of Standards and Technology (“NIST”) Act;

    • Section 405(d) of the Cybersecurity Act of 2015; and/or

    • Other programs and processes that address cybersecurity and are developed, recognized, or promulgated through regulations by other regulatory agencies.

While it remains unclear exactly what HHS will treat as “recognized security practices,” it seems likely that implementing any of the following would satisfy the law’s documentation requirements: NIST Special Publications guidance, the Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients guidance, and any other program that meets the statutory criteria.

© Polsinelli PC, Polsinelli LLP in California. National Law Review, Volume XI, Number 222